ansible ssh prompt known_hosts issue -


i'm running ansible playbook , works fine on 1 machine.

on new machine when try first time, following error.

17:04:34 play [appservers] *************************************************************  17:04:34  17:04:34 gathering facts ***************************************************************  17:04:34 fatal: [server02.cit.product-ref.dev] => {'msg': "failed: (22, 'invalid argument')", 'failed': true} 17:04:34 fatal: [server01.cit.product-ref.dev] => {'msg': "failed: (22, 'invalid argument')", 'failed': true} 17:04:34  17:04:34 task: [common | remove old ansible-tmp-*] *************************************  17:04:34 fatal: no hosts matched or hosts have failed -- aborting 17:04:34  17:04:34  17:04:34 play recap ********************************************************************  17:04:34            retry, use: --limit @/var/lib/jenkins/site.retry 17:04:34  17:04:34 server01.cit.product-ref.dev      : ok=0    changed=0    unreachable=1    failed=0    17:04:34 server02.cit.product-ref.dev      : ok=0    changed=0    unreachable=1    failed=0    17:04:34  17:04:34 build step 'execute shell' marked build failure 17:04:34 finished: failure

this error can resolved, if first go source machine (from i'm running ansible playbook) , manually ssh target machine (as given user) , enter "yes" known_hosts file entry.

now, if run same ansible playbook second time, works without error.

therefore, how can suppress prompt ssh gives while making ssh known_hosts entry first time given user (~/.ssh folder, file known_hosts)?

i found can if use following config entries in ~/.ssh/config file.

~/.ssh/config

# vapp virtual machines host *   stricthostkeychecking no   userknownhostsfile=/dev/null   user kobaloki   loglevel error

i.e. if place above code in user's ~/.ssh/config file of remote machine , try ansible playbook first time, won't prompted entring "yes" , playbook run (without requiring user manually create known_hosts file entry source machine target/remote machine).

my questions: 1. security issues should take care if go ~/.ssh/config way 2. how can pass settings (what's there in config file) parameters/options ansible @ command line run first time on new machine (without prompting / depending upon known_hosts file entry on source machine target machine?

the ansible docs have a section on this. quoting:

ansible 1.2.1 , later have host key checking enabled default.

if host reinstalled , has different key in ‘known_hosts’, result in error message until corrected. if host not in ‘known_hosts’ result in prompting confirmation of key, results in interactive experience if using ansible, say, cron. might not want this.

if understand implications , wish disable behavior, can editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults] host_key_checking = false

alternatively can set environment variable: 

$ export ansible_host_key_checking=false

also note host key checking in paramiko mode reasonably slow, therefore switching ‘ssh’ recommended when using feature.


-

Comments

Post a Comment

Popular posts from this blog

apache - PHP Soap issue while content length is larger -

we have developed soap based webservice post data third party webservice. accepts 4 params. in 1 of parameters accepts xml string no size limit restriction put in place. the webservice works fine in local environment running on php 5.2 , apache2. works content length long 10 mb. in staging server running nginx , php fpm.we have updated max post size , max upload filesize in php.ini , client_max_body param in nginx.conf allow upto 50 mb. but webservice client keeps on loading in staging environment. gives 502 timeout , gives soap error. can me understand issue here?
Read more

asynchronous - Python asyncio task got bad yield -

i confused how play around asyncio module in python 3.4. have searching api search engine, , want each search request run either parallel, or asynchronously, don't have wait 1 search finish start another. here high-level searching api build objects raw search results. search engine using kind of asyncio mechanism, won't bother that. # no asyncio module used here class search(object): ... self.s = some_search_engine() ... def searching(self, *args, **kwargs): ret = {} # raw searching according args , kwargs , build wrapped results ... return ret to try async requests, wrote following test case test how can interact stuff asyncio module. # here testing script @asyncio.coroutine def handle(f, *args, **kwargs): r = yield f(*args, **kwargs) return r s = search() loop = asyncio.get_event_loop() loop.run_until_complete(handle(s.searching, arg1, arg2, ...)) loop.close() by running pytest, return runtimeerror: task got bad yield : {results s...
Read more

javascript - Complete OpenIDConnect auth when requesting via Ajax -

the normal openidconnect server works like: you go a.com/secure-resource you 302 server your browser handles , sends identity server you login there it sends a.com via post you logged in on a.com , a.com/secure-resource on browser. however have scenario i'm trying solve need help. the user logged in on idserver the user logged in on a.com the user not logged in on b.com we need send ajax call web server b.com (from domain a.com ) b.com configured use openidconnect. but because request b.com via ajax, user cannot redirected idserver. (all in response 302 ) we can go ahead , handle 302 via ajax (i'm still not sure whether work, security-wise). but is there scenario in identityserver/openidconnect designed these situations? with identityserver in scenario setup server b.com use bearer token authentication, need use access token provided a.com in headers of ajax call $.ajax({ url: 'http://b.com', headers: { ...
Read more